in accordance with Art. 12 ff GDPR

1. Introduction, applicability

1.1. This data protection information applies to the processing of personal data in the operations of Gassner GmbH, FN 196704x, Betriebsstraße 6, 4523 Neuzeug, office@gassner.at (hereinafter referred to as “Gassner”).

1.2. The protection of personal data and compliance with the relevant data protection regulations – currently Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”) and the Data Protection Act in its currently valid version (“DSG”) as well as the legal acts enacted on the basis thereof – are of the highest priority at Gassner. In accordance with Articles 12 and 13 of the GDPR, this privacy policy provides an overview of the personal data that Gassner processes in its operations, the purposes for which it does so, and how Gassner ensures the protection of this data.

1.3. This data protection information can be accessed electronically, printed, downloaded, and stored on a storage medium on the website: https://edelstahl-pool.at (“website”).

1.4. The terms used in this privacy policy are understood in accordance with the definitions in Article 4 of the GDPR.

2. Controller, data protection officer

2.1. The controller within the meaning of Article 4(7) of the GDPR is Gassner (see point 1.1. for contact details).

2.2. Since the requirements of Art. 37 (1) GDPR are not met, in particular since Gassner’s core business does not consist of carrying out data processing operations which, due to their nature, scope, and/or purposes, require extensive regular and systematic monitoring of data subjects, no data protection officer has been appointed at Gassner.

3. Processing of personal data

3.1. Gassner processes (see Art. 4(2) GDPR) personal data of natural persons (“data subjects”) in the course of its business only in compliance with the principles laid down in Art. 5 et seq. GDPR and only if at least one condition of lawfulness within the meaning of Art. 6 GDPR is fulfilled. The purpose and duration of processing are regulated by category in the following points. Gassner does not process any special categories of personal data within the meaning of Art. 9 (1) GDPR.

3.2. If necessary, i.e. if no other condition of lawfulness listed in Art. 6 GDPR applies (or as a precautionary measure in addition to this), Gassner will obtain the consent of the data subjects. If data subjects voluntarily disclose data not requested by Gassner, this data will not be “collected” by Gassner and the data subject thereby gives their express consent to the processing of this data by Gassner.

3.3. Gassner will only disclose, transfer, or pass on data to the extent that this is permitted or required by applicable law. The categories of recipients to whom Gassner discloses data are – apart from the recipients listed in category 4 – in particular Gassner’s processors in accordance with Art. 28 GDPR, authorities and courts, and, in the case of debt collection measures, collection agencies and lawyers. Gassner does not transfer data to recipients in a non-EU member state or to international organizations without consent. Gassner’s organizational units and employees receive the data they need to fulfill their duties.

3.4. No automated decision-making (“profiling”) takes place on Gassner’s digital services.

4. Collection of data from data subjects and processing thereof

4.1. Collection and processing of data when expressing interest in Gassner’s offers and when contacting Gassner

When expressing interest in Gassner’s offers and when contacting Gassner, data from interested parties and those making contact is processed on the basis of Art. 6 (1) (b) GDPR (implementation of pre-contractual measures) for the purpose of sending targeted offers and processing inquiries. The following categories of data are processed: access, master, contact, and correspondence/communication/content data. In order to respond to any inquiries and follow-up questions, the relevant data is stored for six (6) months and then automatically deleted, provided that no contractual relationship is established with the data subject.

4.2. Collection and processing of data for orders and the execution of contractual relationships

In the case of orders and the subsequent execution of contracts, the following data is collected from the data subjects and processed on the basis of Art. 6 (1) (b) GDPR for the purpose of fulfilling and executing the contract with the data subjects: Gender, first and last name, billing and delivery address (street, postal code, state), email address, order and contract data, billing and bank/account/payment data, and, if necessary, correspondence/communication/content data. The data of the persons concerned will be treated confidentially and – insofar as this is necessary for the fulfillment of the contract – passed on to the vicarious agents and/or executing (third-party) companies (e.g., suppliers, subcontractors, etc.) involved in the processing of the contractual relationship. The data will be processed and stored for as long as is necessary for the fulfillment of the contractual relationships (including post-contractual obligations) and for legal reasons (in particular for VAT purposes).

4.3. Collection and processing of technical data when accessing digital services

When accessing Gassner’s digital services, Gassner automatically collects and processes necessary (technical) data (access data and data through the use of cookies) of the data subjects for the purpose of operation, security, and optimization on the basis of Gassner’s legitimate interests in accordance with Art. 6 (1) (f) GDPR and, if necessary, on the basis of consent in accordance with Art. 6 (1) (a) GDPR (see points 7 and 8).

4.4. Processing of data for the purpose of sending an email newsletter

Gassner offers an email newsletter. Data subjects have the option of subscribing to the newsletter via the Gassner website. In this case, Gassner requires the email address of the data subject and their consent to receive the newsletter. Once the data subject has subscribed to the newsletter, Gassner sends a confirmation email with a link to confirm the subscription. The data provided when subscribing to the newsletter will only be used for sending the newsletter. Gassner uses the email address provided to send the newsletter. The data of the persons concerned is processed for this purpose by [ADAM Communication. GmbH], with whom Gassner has concluded an agreement on order processing in accordance with Art. 28 GDPR. When registering for the newsletter, the personal data in the contact fields (name, email address, and telephone number) is processed. The purpose of data processing is to send information about products, services, events, current job vacancies, and Gassner as an employer. The legal basis for processing is Art. 6 (1) (a) GDPR. Data subjects have the right to object at any time to the processing of data concerning them for the purpose of the newsletter. The revocation can also be made informally via the unsubscribe link in each newsletter.

4.5. Contact option via the website

The Gassner website has a contact form that enables quick electronic contact with Gassner and direct communication with Gassner. If data subjects contact Gassner via the contact form, the personal data they provide will be stored automatically. When contacting us via the contact form, the personal data in the contact fields (name, email address, and telephone number) will be processed. The purpose of data processing is to handle the data subject’s request. The legal basis for the processing is Art. 6 (1) (b) GDPR, which allows Gassner to process the data if this is necessary for the performance of a contract with Gassner or for the implementation of a pre-contractual measure.

4.6. Processing of data for the purpose of direct marketing

If Gassner receives the email address of data subjects in connection with the provision of a service, it is entitled, on the basis of its legitimate interest pursuant to Art. 6 (1) (f) GDPR, to send direct marketing by email in the form of information and mailings for its own or similar products. Data subjects have the right to object at any time (in particular when emails are sent) to the processing of data concerning them for the purpose of such advertising (see section 13.8.).

5. Collection of data from third parties

With the exception of automatically collected technical access data in accordance with point 7 and data collected via the website by necessary cookies in accordance with point 8, Gassner does not process any data that is not collected from the data subjects themselves.

6. Duration of data processing, retention and storage period

6.1. Gassner does not process and store data permanently, but only in accordance with the periods prescribed by the applicable legal provisions, and in any case only for as long as is necessary for the purposes for which the data was collected. Gassner stores data in a form that allows the identification of the data subjects only for as long as is necessary for the purposes for which it is processed.

6.2. If data is processed solely on the basis of consent, this data will be deleted immediately and will no longer be processed if the data subjects withdraw their consent in accordance with Art. 7 (3) GDPR. The same applies in the event of a legitimate objection pursuant to Art. 21 GDPR if data is processed solely on the basis of a legitimate interest pursuant to Art. 6 (1) (f) GDPR.

7. Collection of access data when accessing digital services

7.1. When you access its digital services (such as, in particular, the website), Gassner automatically collects and processes technical data about each access, which is considered personal data or could be used to identify the data subjects or personal data and which is stored in so-called server log files (“access data”). This includes the IP address, unique device identification, type and version of the operating system and browser, file name and path, type of transmission protocol, date and time of access, bytes transferred, referrer URL (previously visited page), and the requesting provider.

7.2. However, Gassner does not process this access data for the purpose of identifying individuals or determining other personal data, but exclusively for the purpose of operating, designing, adapting, improving, maintaining, optimizing, and further developing the digital services it operates (including functions, modules, and features), as well as for error detection and correction, maintaining system security, and adaptation, improvement, maintenance, optimization, and further development of the digital services it operates (including functions, modules, and features), as well as for error detection and correction, to maintain system security, and—if web analysis tools are used—for the purpose of internal statistical evaluation, without drawing any conclusions about the individuals concerned. No profiling takes place in this regard. The access data is deleted after 14 (fourteen) days.

8. Collection of data when accessing digital services through cookies

8.1. Cookies are files that are stored locally in the cache of the data subject’s Internet browser when digital services are accessed and which serve in particular to offer additional functions, to make the digital service more user-friendly, effective, and secure by recognizing the accessing Internet browser and storing temporary files, and – if web analysis tools are used – to enable an (anonymized) analysis of usage.

8.2. Cookies that are absolutely necessary for the functioning of digital services are used on the basis of Gassner’s legitimate interests pursuant to Art. 6 (1) (f) GDPR in operation, security, and optimization. Any other cookies are only processed on the basis of consent in accordance with Art. 6 (1) (a) GDPR, which the data subjects can give by actively clicking a tick box after being asked. Individuals have the option of revoking their consent at any time by deactivating and/or deleting cookies in their internet browser settings and specifying how long they are stored and when they are deleted. The procedure for doing so depends on the internet browser used by the individuals concerned. However, not accepting and deactivating cookies may result in certain functions and/or content of the digital services not working or not working as expected.

8.3. Session cookies are stored temporarily for the duration of the person’s access and are deleted after the browser is closed; permanent cookies remain stored on the person’s device until they are removed from their browser.

9. Facebook Pixel

9.1. On the basis of consent in accordance with Art. 6 (1) (a) GDPR, which can be given by actively clicking a tick box when visiting the website, the Gassner website also uses the so-called “Facebook Pixel”, which is integrated directly by the social network “Facebook”, operated by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), and sets cookies in the internet browser of the data subject. If the data subject then logs into Facebook or visits the website while logged in, the visit is noted in the data subject’s Facebook profile. The data collected about the data subject is anonymous to Gassner and does not allow any conclusions to be drawn about the identity of the data subject. However, the data is processed by Facebook.

9.2. With the help of the Facebook Pixel, Facebook is able to identify visitors to the website as a target group for the display of (advertising) ads (“Facebook Ads”). Accordingly, Gassner uses the Facebook pixel to display Facebook ads placed by Gassner only to Facebook users who have also shown an interest in Gassner’s online offering or who have certain characteristics (e.g., interests in certain topics or products, which are determined based on the website visited) that are transmitted to Facebook (so-called “custom audiences”). With the help of the Facebook pixel, Gassner wants to ensure that the Facebook ads correspond to the potential interests of the data subjects and do not have a harassing effect. With the help of the Facebook pixel, Gassner can also track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether data subjects were redirected to the website after clicking on a Facebook ad (so-called “conversion”).

10. Integration of third-party services and content, social plugins

10.1. Third-party plugins are also used on the website to integrate their content and services (such as videos). However, such plugins are only called up on the basis of consent in accordance with Art. 6 (1) (a) GDPR. If individuals consent to the use of such plugins, a connection to the third-party providers‘ servers is established and the corresponding plugin is called up. The content of the plugins is transmitted directly from the respective third-party provider to the browser of the person concerned. By calling up the plugins, the third-party providers receive the information that the browser of the person concerned has accessed the Gassner website, even if they are not registered with the third-party provider in question or are not currently logged in. The plugin transmits log data to the respective servers of the third-party providers. This log data contains the following information: IP address, the address of the website visited, which also contains plugin functions, type and settings of the browser, date and time of the request, how the plugin is used, and cookies.

10.2. The data is processed by the third-party providers in accordance with their respective data protection regulations. As the operator of the website, Gassner has no knowledge of the content of the data transmitted to the third-party providers or how it is processed. Third-party providers may use so-called pixel tags (invisible graphics or “web beacons”) for statistical or marketing purposes. In addition, pseudonymous information may be stored in cookies on the data subject’s device and may include technical information about the browser and operating system, referring websites, visit time, and other information about the use of the website, and may be linked to such information from other sources.

10.3. If the data subject is registered with the third-party providers and logged into the third-party providers‘ user accounts, the third-party provider can personally assign the user behavior of this person. The data subject can prevent this by logging out of their user account beforehand. If the person is not a member of the third-party provider, the third-party provider can still obtain and store certain data (see section 10.1.).

10.4. Apart from not giving their consent, persons can completely prevent the plugins from loading with add-ons for their browser, e.g. with the script blocker “NoScript” (http://noscript.net/). In addition, we would like to point out once again that it is possible to deactivate cookies (see section 8.2.).

10.5. The following table provides an overview of the third-party services used:

– Videos from the “YouTube” website of the third-party provider Google;

– Social plugins from the third-party provider Facebook;

– Social plugins from the “Instagram” service provided by the third-party provider Instagram, Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA (privacy policy: http://instagram.com/about/legal/privacy).

11. Data processing on behalf of Gassner

11.1. If data is processed on behalf of Gassner, it only works with processors within the meaning of Art. 4(8) GDPR who provide sufficient guarantees that appropriate technical and organizational measures are implemented in such a manner that the processing complies with the existing legal provisions and the protection of the rights of individuals is ensured. To this end, Gassner concludes appropriate contracts with its processors that comply with the requirements of Art. 28 GDPR and observes Art. 44 ff GDPR for processors based in third countries.

11.2. Gassner’s current processors are:

© comp.nets.go GmbH | Ennser Str. 83 / 2nd floor | 4407 Steyr-Dietach] (programming, IT/computer support)

– ADAM Communication GmbH |Großalmstraße 4 |4813 Altmünster (digital agency)

– Lorem Ipsum web.solutions GmbH Grieskai 10 – 2nd floor

A-8020 Graz (hosting and web space provider)

Microsoft (IT, software)

12. Security of data processing

Gassner takes appropriate and suitable technical and organizational measures to ensure the security of data and data processing in accordance with the criteria set out in Art. 32 GDPR and ensures that the data is protected against unauthorized or unlawful processing and against loss, damage, and alteration.

13. Rights of data subjects

13.1. Gassner protects the rights of data subjects in accordance with the applicable legal provisions. Under current law, data subjects are entitled to the rights listed below (in abstract terms). Data subjects can assert their rights by sending a specific request—preferably in writing (e.g., letter or email)—to Gassner (see point 1.1 for contact details). If the applicable legal provisions stipulate deadlines for processing the request, Gassner will comply with these.

13.2. Right to confidentiality

Gassner protects the fundamental right of data subjects to data protection in accordance with Section 1 (1) of the DSG and the right to data secrecy in accordance with Section 6 of the DSG.

13.3. Right to access and information

Under the conditions and in accordance with Articles 13 to 15 of the GDPR, data subjects have the right to access and information about the processing of their data by Gassner and about their rights.

13.4. Right to rectification and completion

Under the conditions and in accordance with Art. 16 GDPR, data subjects have the right to rectify inaccurate data and complete incomplete data concerning them.

13.5. Right to erasure

Under the conditions and in accordance with Art. 17 GDPR, data subjects have the right to request the immediate erasure of data concerning them.

13.6. Right to restriction of processing

Under the conditions and in accordance with Art. 18 GDPR, data subjects have the right to request the restriction of the processing of their data.

13.7. Right to data portability

Under the conditions and in accordance with Art. 20 GDPR, data subjects have the right to to receive data concerning them that they have provided to Gassner in a structured, commonly used, and machine-readable format and to transmit this data to another controller or to request Gassner to transmit the data it processes directly to another controller, insofar as this is technically feasible and does not adversely affect the rights and freedoms of others.

13.8. Right to object

Under the conditions and in accordance with Art. 21 GDPR, data subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of data concerning them which is carried out on the basis of Art. 6 (1) (e) or (f) GDPR. In the event of a justified objection, Gassner will no longer process the data of these persons affected by the objection, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subjects, or the processing serves to assert, exercise, or defend legal claims. If the persons object to processing for direct marketing purposes, their data will no longer be processed for these purposes.

13.9. Right not to be subject to an automated decision

Under the conditions and in accordance with Art. 22 GDPR, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

13.10. Right of withdrawal

Pursuant to Art. 7 (3) GDPR, data subjects have the right to withdraw their consent to the processing of data concerning them at any time, without affecting the lawfulness of the processing carried out on the basis of the consent until withdrawal.

13.11. Right to lodge a complaint

Pursuant to Art. 77 GDPR in conjunction with § 24 DSG, data subjects have the right to lodge a complaint with the competent supervisory authority (data protection authority), without prejudice to any other administrative or judicial remedy.

13.12. Right to judicial remedy

Pursuant to Art. 79 GDPR in conjunction with § 27 DSG, data subjects have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning them (right to appeal to the Federal Administrative Court), without prejudice to any other administrative or extrajudicial remedy.